
mikejuk writes "Java Development Kit 8, planned for September 2013, is being delayed until next year because of 'a renewed focus on security.' Java has been having security publicity problems recently, but Oracle now seems to be taking them more seriously. Mark Reinhold, chief architect of the Java platform group, said, 'Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8.' The major change still to be made to Java 8 is Project Lambda, which Reinhold says is 'the sole driving feature of the release.' He laid out alternatives, such as dropping Lambda from this release, but said Oracle has decided instead to wait until Lambda is ready. The revised schedule for JDK 8 has a developer preview scheduled for September, a release candidate scheduled for January 2014, and general availability scheduled for March 2014. The delay means that Java SE 9 will probably be released in early 2016, rather than late 2015."

Ah, well that is the trick. Oracle (and Sun before them) doesn't DO security updates. They don't understand what patch even means. They only do full versions. So when you go from say 1.7.0_11 to 1.7.0_21, you are actually uninstalling an entire version of their runtime and installing a new one. People wouldn't put up with that shit from Microsoft. Heck, even Adobe does patches for Reader much of the time now (although they do a mysterious full in there once in awhile too). The worst part is that they don't

It's GPLv2 (and as far as I can tell there are no restrictions on distributing modified versions of Java; plenty of Linux distros seem to do it), so why not fork it and give people who need Java for some reason but don't want the crap that goes with it (crappy bundle-ware, security holes that go unfixed for months, etc.) an alternative that doesn't suck?

Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?

Sure, the JVM itself always got a reasonable amount of love, and the historically-comical nature of Windows security took some of the heat off browser plugins; but has the 'well, if we just add a sandbox, we can take something that works fairly well for instruction-set and OS abstraction of trusted workloads and adapt it to the 'run any old shit the internet throws at you' use case ever been anythin

Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?

A "renewed" focus on security implies that they were focused on security but then quit, and now are going back to it. So the real question is why they abandoned the focus on security.

Of course, the obvious answer is that there never was any focus on security and now saying that they have a "renewed focus on security" is 100% pure Public Relations Bullshit.

I'm sure the developers from Sun stopped caring after they all nearly lost their jobs to bankruptcy. Then they were purchased by Oracle and as any big company transition happens, they lose certain perks. It sounds like management has put their foot down and told people to fix their shit.

If security was at all a real concern, let alone a priority, Java would never install itself as a plugin in every browser it can find, ready to run arbitrary code from untrusted sources, by default and with every update. All credibility here was lost ages ago.

The only credibility that has been lost is from people who assume Java is intended to run arbitrary code and do not understand its security model.

There are still distinct limitations on what the JVM allows to be executed from browser plugins without signing and executing a signed application gives you all the security prompts you'd expect and is in fact really not all that different to a download link where the user gets a "save" or "open" button that lets them execute genuinely arbitrary code. Or in other

That's from the current Java release trying to load Oracle's Java detection applet [java.com]. And before you ask, I'm required to have Java installed for work because one of our apps relies on an applet.

"untrusted" applets show no warning on startup and are run in a sandbox that is supposed to limit their access to your computer and network. Unfortunately that sandbox has proven time and time again to have bugs that provide ways for the code inside to "escape" the sandbox and do what it wants to your computer.

"trusted" applets show that warning on startup. Then if the user clicks yes the applet gets the ability to do whatever the hell it likes.

It was forked: http://en.wikipedia.org/wiki/OpenJDK [wikipedia.org]
The problem is that the browser plugin and WebStart parts of Java are not included in OpenJDK. But OpenJDK is excellent and widely used.

Sun open sourced the main components of Java 6 as OpenJDK. Notable exceptions are the Java browser plugin and Web Start. IcedTea was a fork by Redhat, but now they are OpenJDK contributors. What people refer to simply as Java covers a lot of different things (compiler, library, plugin, HotSpot JVM, etc.). Read the article on Wikipedia for more details: http://en.wikipedia.org/wiki/OpenJDK [wikipedia.org].

OpenJDK is the official Java 7 reference platform and is fully "open". Oracle Java is basically OpenJDK with a different browser plugin and some proprietary components (Web Start, HotSpot, etc.), and while IcedTea used to be a full Java implementation, it is my understanding that it is basically just an open source version of the proprietary components (Web Start) now.

Oracle is one of the main sponsors/contributors to OpenJDK as well as Redhat and a slew of other companies. The Wikipedia

When Sun announced that they were going to open source Java they got a lot of bashing from people here, because they didn't want to believe it or because Sun was slow in its process. Some things are not instantaneous (code reviews, packaging, third party licensed components, etc.) and people should not have unrealistic expectations on this. But Sun was true to its word and open sourced the main components of Java. I don't know if Oracle plans to continue on this path with the remaining components but they are not the

You're comparing apples and oranges. First, security was less of an issue back when Sun was the "legal guardian" of Java. Second, it was also more of a community project then. It was far more open than Oracle has allowed it to be.

Security was just as much of an issue then. It wasn't as obvious to some people because there weren't mainstream exploits being found in Java. Sun should have realized this a long time ago and fixed these security issues before they got into the news. This just shows sloppiness on their part.

Security was important then. But not as important. Nobody considered security to be such a big issue then. Hell, even Microsoft didn't... which is why IE was so full of holes.

But it wasn't as much of an issue because a lot fewer people were actively hunting for vulnerabilities, and a lot fewer vulnerabilities had been found. As you say: "there weren't mainstream exploits being found in Java". Yes there were, just not nearly as many. Nor were there nearly as many people trying to find them.

So then, you're saying that after 12 years of prior development, Sun should have fixed all possible Java vulnerabilities in the 3 years prior to Java being released as Open Source. Before most of the vulnerabilities we know about today were even discovered.

They should have fixed them in the 90s. People who knew were very worried about security by that time (including some people at Sun!). By the mid 2000s it was so obvious that even dogs and cats were aware that security was an issue.

For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?

I mean, sure, it's good Oracle is doing this. They're just way late, as usual.

Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?

Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.

I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.

And why exactly would "someone" want to do that? Why exactly would "someone" want to take on something that you admit is "a lot of work"? What's in it for that "someone"? What do they get for the many, many months of hard work that would be required to do this?

Instead of demanding that "someone" do it, why don't YOU do it?

What's that you say? You don't have the programming skills? You don't know anything about the code base and wouldn't even know where to start? You don't feel like spending an enormou

For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?
I mean, sure, it's good Oracle is doing this. They're just way late, as usual.
Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?
Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.
I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.

Better yet. Why don't the people being paid to write Java stop making ridiculous security mistakes? You can blame Oracle management but somewhere there's a developer taking shortcuts.

Strange fortune cookie, or whatever else that quote at the bottom of a Slashdot page is called: "To err is human; to forgive is simply not our policy. -- MIT Assassination Club". Seems somewhat awkward given events in Boston over the last 24 hours.

I feel like one of those UFO people standing in a field waiting for little green men to pop out of flying saucers on the second blue moon when the planets line up just right with the moon. I want to believe, really I do want to believe. But like the buffoon in the field waiting on the little green men, I'm going to be waiting a very long time before Oracle /gets/ security.

It takes a lot more than simply delaying a given release of a given product to get your security ducks in a row. Here are some things Orac

At the 2005 JavaOne trade show, it was announced that Sun Microsystems' Java cross-platform software environment would be included in all Blu-ray Disc players as a mandatory part of the standard. Java is used to implement interactive menus on Blu-ray Discs, as opposed to the method used on DVD-video discs.

Maybe if they hadn't let the feature set get so stale over the years, they wouldn't have to make a choice between cleaning up the mess that is Java and achieving parity with .NET. They should have added lambdas years ago, but it's like pulling teeth to get them to make major releases.

Why is Java still persisting with this notion that it should be a browser plugin? No one wants Java as a browser plugin and that's where the security vulnerabilities have been found. Meanwhile, in the area where Java is popular (the server and, to a lesser extent, desktop applications) and in need of the features that Java 8 was supposed to bring, these security problems are a secondary concern--there's very little need to worry about malicious code when you're not downloading it from an untrusted source.

It's time to retire Applets and Web Start entirely and leave Java to the things it's good at.

2. Sun and Oracle have invested a lot of money on JavaFX which (in a browser environment) is the equivalent of Flash and Silverlight. It uses Applets to run. It is much cleaner and more advanced than Flash and it may have a good future.

i.e. YOU. There were several game sites I used to frequent and there are a lot of useful Java applets out there for things like education I used to run. While they were safe, I just got tired of the risk of possibly following a link to an exploit. Even some mainstream torrent sites are riddled with hostile applets. I found this out when I watched one start to install an EXE. Having to rebuild a system from scratch vs. disabling Java plugins is a no brainer.

One issue about anonymous classes is that if the implementation of your anonymous class is very simple, such as an interface that contains only one method, the syntax of anonymous classes may seem too unwieldy and unclear.
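A side-by-side contrast of the two forms the comment refers to, as an added Java example that is not part of the original thread. `Greeter` is a hypothetical single-method interface constructed for the illustration; the `Comparator` part uses the standard library.

```java
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class LambdaVsAnonymous {

    // Hypothetical single-method interface, constructed for this example.
    interface Greeter {
        String greet(String name);
    }

    // Instance field, used below to show how "this" differs between the two forms.
    private final String prefix = "Hello, ";

    Greeter anonymousGreeter() {
        // Pre-Java-8 form: full class boilerplate wrapped around one method.
        return new Greeter() {
            @Override
            public String greet(String name) {
                // Inside an anonymous class, "this" is the anonymous instance,
                // so the enclosing field has to be reached via the outer class.
                return LambdaVsAnonymous.this.prefix + name;
            }
        };
    }

    Greeter lambdaGreeter() {
        // Java 8 (Project Lambda) form: just the method body.
        // In a lambda, "this" is the enclosing LambdaVsAnonymous instance,
        // so the field is reachable directly.
        return name -> this.prefix + name;
    }

    public static void main(String[] args) {
        LambdaVsAnonymous demo = new LambdaVsAnonymous();
        System.out.println(demo.anonymousGreeter().greet("Ada"));
        System.out.println(demo.lambdaGreeter().greet("Ada"));

        // The same contrast with a library interface: Comparator has a single
        // abstract method, so it is usable in both forms.
        List<String> words = Arrays.asList("pear", "fig", "banana");
        words.sort(new Comparator<String>() {
            @Override
            public int compare(String a, String b) {
                return Integer.compare(a.length(), b.length());
            }
        });
        System.out.println(words);
        words.sort((a, b) -> Integer.compare(b.length(), a.length()));
        System.out.println(words);
    }
}
```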

It could be argued that if you are manipulating classes that represent some sort of number or mathematical type, using methods like add() or multiply(), instead of using arguably much more intuitive operators is just as unwieldy or unclear (while the only sustainable argumen

Not all types for which operator overloading would make sense are a number, however.

Vectors and Matrices come to mind as immediate examples, and not all operators even necessarily make sense for both. More generally, any class which represents any kind of algebraic ring could sensibly have very intuitive operator overloading.

They learn how to properly use launchd items in OS X if they are going to be supporting Apple. Learning how to use a preference.plist so we can remotely manage updates without having to write bash scripts and stuff would help to

Many people here are completely missing the point: first the ones that say that Java is insecure (it's not), and then the ones correcting them by saying that it is the Java Browser Plugin/Java Applets that are insecure (they are right on this) and that they should be removed from Java.

The problem with Java Applets is the same problem that you have with ActiveX, they suck because they run third party code in a sand-box like manner and isolating that kind of code from your precious system is pretty hard. The people that implemente

Well, if we're going to get specific, okay. We agree and disagree on some things here. Java without some sort of qualifier refers to the ecosystem, right? So Java means the Java programming language, the Java compiler, the JVM (JRE), J2EE, the Java plugin... you know, all that stuff. The Java programming language isn't vulnerable, it's just a language. The rest of the Java products, the ones with actual executable code, are all exploitable and there are plenty of CVEs and breaches across the entire product

Sorry, you are saying that there are security bugs in older versions of the JRE that allow drive-by attacks when Java is used only on the server side? Please provide some examples because I'm interested. Of course, if companies that spend millions on applications can't update the old versions, it can't all be blamed on Java, could it? And yes, I know very well how companies work.

Regardless of whether he proves to be a shill or not, I think Daniel Hoffmann is 100% correct with this post. Every one of his points are spot on. Large IT Orgs are dinosaurs with a lot of inertia and it takes a lot to get them to start moving. Him blaming Microsoft seems a bit tongue-in-cheek to me as I don't think MS wants people to be using XP/IE8 anymore either.

There are many, many high end things out there that require Java Applets to manage,

Now that JavaScript is fast, that HTML5 is everywhere, that games can even run on Flash, please Oracle, kill the damn Java browser plugin. Sure, Unity uses it. Do J2EE developers around the world care about it? No, we do not care!
Kill the damn thing. It's slow to start and it will always be slow even with the Jigsaw vaporware. I don't want Java in my browser. We are in 2013, ActiveX was crap, Flash is crap, Java applets were, are and will always be crap.

Disclaimer: I am a Java/J2EE developer and I am totally tired of the reputation that Java is getting because of this damn browser plugin.

Delays seem to help languages. Perl 6 was the best thing that happened to Perl, since it allowed Perl 5 to become mature and widely used. Python 3 was the worst thing to happen to Python. C++ was miraculously stable for over a decade until the new 2011 standard. Even Java 7 was delayed for a long time with the Sun->Oracle move, and that helped Java 1.5/1.6 mature and be deployed instead of older versions.

At the very least it should be either an optional (with the default set to "no") or separate install. There are still some systems that require it. I have an old HP JetDirect I still use to put an even older HP LaserJet 4 on our network, and its interface is a Java applet.

In reality: online payments have become a nightmare because it frequently crashes during payment, and it's not always clear how you can restart only the payment process to avoid placing a duplicate order with the web store.

For their defense I can say that after last bug/update cycles of Java they seem to have become so frustrated also that they've decided to scrap that requirement, and in few mont

The problem is _WHERE_ Java is actually used. For the most part that is "enterprise software" and embedded gear. At work it's pretty much unavoidable, from the IP KVMs and fibre switches with their Java applets to enterprise middleware running all over the place. It's apparent what all those Java developers have been doing for the last decade.

In many cases, simple HTML applications would have been much better but some organization hired a java programmer to write the back-end and the front-end ended up bei

Of course there will be a transition phase where those vendors will have to change their behavior, but that's absolutely doable. People said the same thing about Flash, but it turns out that it wasn't much of a problem.

It makes me a bit sad that Java in the browser never really took off to the extent that JavaScript did. These days we have people coming up with monstrosities like asm.js to make it possible to write fast, cross-platform applications, whereas the JVM is a compiler target that's been much better suited to the task for a decade and a half. I suppose its downfall was in its proprietary nature, lack of integration with the DOM, and slow start-up time. If the browsers had included an easily sandboxed subset o